The insurance sector has a role to play in plugging cyber security gaps, says cyber risk expert

A change in ransomware tactics from a “spray and pray approach” to “big game hunting” could be a good thing for cyber insurers.

This is because insurers are used to covering higher value individual events rather than mass distributed events, according to Axis Capital cyber risk advisor John Donald.

“Insurance knows how to deal with [larger individual events] and has done ever since the Titanic went down,” he said.

Speaking at network Insurance Law Global’s Spectrum 2022 event, held last week (31 March 2022), Donald explained that today’s cyber criminals had generally adopted the strategy of “big game hunting” – picking their targets carefully by searching for organisations “where cyber defences are weak and they’re large enough to afford a big ransom”.

This has led to a “dramatic increase” in the average value of ransomware payments, he added.

A survey published by cyber security firm CrowdStrike in December 2021 corroborated this trend, finding that the average commercial ransomware payment had increased from £840,000 in 2020 to £1.37m in 2021.

Donald also argued that the dangers of ransomware “could be approaching a peak” as cyber security measures and responses to attacks become increasingly effective and efficient.

“Maybe there is a limit to how far [ransomware] is going to go and it will end up as an endemic problem, something we’ll all learn to live with,” he added.

Plugging the gaps

Donald was keen to emphasise that the dangers of ransomware would be lessened by greater overall preparedness and improved responses to attacks, rather than by criminals simply giving up.

Indeed, he explained that ransomware as a service, whereby ransomware software developers either sell their software packages or contract out their services, has increased the risk of ransomware by providing potential threat actors with improved capabilities to carry out attacks.

However, he noted that ever-increasing security measures alone wouldn’t necessarily translate into better cyber security.

“There’s a point where you may be increasing the strictures of your cyber controls on your users, but your security level is actually going down because [those users] are investing more time into escaping or evading them,” Donald said.

This could mean that effective security measures would peak at providing around 60% of total cyber security for firms, he estimated. Accounting for the remaining 40% of organisations’ cyber security could present an opportunity for cyber insurers, however.

Donald said: “The point here is that cyber security is not just an IT problem and of course this is where insurance can come in, to help plug that 40%.”